For this issue, James Cheney describes nominal logic, an approach to solving the problems involved
with reasoning about bindings in formal languages that has been gaining in popularity in recent
years, and surveys its major application areas.

I am always looking for contributions. If you have any suggestion concerning the content of the 
Logic Column, or — even better — if you would like to contribute by writing a column, please feel 
free to get in touch with me. (Please note that my contact information has changed.) 
1 Introduction

A great deal of research in programming languages, type theory, and security is based on proving
properties such as strong normalization, type soundness or noninterference by induction or
coinduction on the structure of typing derivations, operational semantics rules, or other syntactic
constructs. Such proofs are essentially combinatorial in nature, usually involving $O(n^p)$ cases,
where $n$ is the number of syntactic constructs, typing rules, operational transitions, etc., and $p$ is
small. Usually, only a small number of cases are "interesting", and published proofs often give only
a few illustrative cases. This provides little assurance that a proof is correct. It is widely felt that
machine assistance for constructing such proofs is desirable [6, 15]. Providing such assistance is
severely complicated by the problem of dealing with names and binding in abstract syntax.

Logicians since Frege have grappled with the problem of dealing with the syntax of logical 
expressions. In mathematical logic textbooks it is not unusual to see a formal definition of the 
concrete syntax of the object-language as a particular set of strings over an alphabet including not 
only variables, function and predicate symbols, and logical connectives, but also punctuation such 
as parentheses, brackets, and commas. Then various technical lemmas such as the fact that a string 
may represent at most one formula, that parentheses match, etc. are proved, along with structural 

induction principles. These results are necessary to show that the use of strings and punctuation
to represent formulas satisfies our intuitions about the "real" structure of formulas.

(c) James Cheney, 2005.

However, we now have both a highly developed theory and advanced programming techniques 
for taking care of these syntactic details automatically; many high-level programming languages 
(such as Prolog and ML) provide advanced features for parsing strings into abstract syntax trees 
and computing with the results. Nowadays it is more common (and by far more agreeable) to 
specify a logical or mathematical language using abstract syntax, that is, as a set of abstract syntax 
trees defined by an inductive construction. This has the positive effect of isolating the low-level 
technical details of parsing from the high-level hierarchical representations of terms which are most 
convenient for reasoning. Moreover, the theory of abstract syntax trees, term languages, etc., is 
now well-understood, so that a large number of definitions and results are standard and can be 
reused for any term language (and are usually taken for granted). 

While this approach works well for languages with variables, constants, and operator symbols,
it does not work so well as soon as variable binding enters the picture. This is because variable
binding and substitution interact in complex ways. Subtle errors can arise if care is not taken
with definitions; this problem has plagued both famous logicians^1 and well-known programming
languages.^2

It is standard practice in mathematical logic to assume that there is some infinite set $V$ of
variable symbols, for example integers or strings, and to treat binding term constructors as ordinary
function symbols taking variables as arguments or parameters. For example, the $\forall$ symbol in a
universally quantified formula $\forall x.\varphi$ may be viewed, from a syntactic point of view, as a binary
function symbol $\mathit{forall} : V \times \mathit{Prop} \to \mathit{Prop}$, or as a family of unary formula constructors
$(\forall x : \mathit{Prop} \to \mathit{Prop} \mid x \in V)$ taking a formula as an argument. If one of these approaches is employed,
then a number of basic syntactic definitions and results (such as the "alphabetic variance" or
$\alpha$-equivalence relation, capture-avoiding substitution function and related lemmas) again need to
be proved in order to establish that this approach to implementing binding matches our intuitive
understanding.

Once these low-level details of binding have been presented and proved correct, mathematical
rigor is usually reserved for high-level issues, and low-level syntactic and binding issues are left
implicit. For example, the Barendregt Variable Convention is often taken for granted in mathematical
exposition. After defining capture-avoiding substitution, renaming, and $\alpha$-equivalence and proving
their properties in detail, Barendregt states:

    2.1.13. Variable Convention. If $M_1, \ldots, M_n$ occur in a certain mathematical context
    (e.g., definition, proof), then in these terms all bound variables are chosen to be different
    from free variables.

At best, paper definitions or proofs signal the use of such a convention with a "without loss of
generality"; at worst, the convention (and the argument that its use is sound) is implicit. While
clear enough for human readers, however, such conventions still leave a considerable gap between
mathematical exposition and correct formalizations or computer implementations of programming
languages and logics involving names and binding [84, 85].

In this column, I will first survey the state of the art for solving these problems, and then present 
a new approach called nominal abstract syntax that has gained popularity since its introduction 
six years ago by Gabbay and Pitts. I will then discuss applications and future directions for this 
work. 

^1 including Hilbert and Ackermann [42] among others, according to Stoy [79]
^2 for example, LISP's well-known "dynamic variable scoping" bug

Figure 1: Stoy diagram for $\lambda x.\lambda y.(x\ y)$. [diagram not reproduced in this text]

2 Approaches to dealing with names and binding 

2.1 First-order abstract syntax 

In programming, abstract syntax with binding is usually implemented using ordinary abstract
syntax techniques, and then defining capture-avoiding renaming/substitution and $\alpha$-equivalence
explicitly; that is, by making all the implicit syntactic manipulations explicit. This first-order
abstract syntax approach requires explicit management of fresh name generation (e.g. using a
side-effecting gensym function) as well as writing a lot of repetitive "boilerplate" code. Despite
these drawbacks, it is by far the most popular technique for real compilers, interpreters, theorem
provers, and other symbolic programs. However, reasoning about languages defined in this way is
considered by most experts in this area to be impractical for all but the simplest examples, because
of the large number of intermediate reasoning steps, renaming and substitution lemmas, etc. that
must be verified.
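As an added example (this is not code from the column), here is the first-order approach in Python: named $\lambda$-terms, a side-effecting gensym, a naive substitution that exhibits variable capture on $(\lambda x.y)[x/y]$, the capture-avoiding version with its renaming step, and $\alpha$-equivalence defined by renaming both binders to one fresh name. The constructor names, `gensym`, `capture_demo` and the rest are this example's own choices.

```python
# Added example (not from the column): first-order abstract syntax with explicit
# names, a side-effecting gensym, and the substitution boilerplate it requires.
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class App:
    fun: object
    arg: object


@dataclass(frozen=True)
class Lam:
    name: str
    body: object


_counter = count()


def gensym(base="x"):
    """Side-effecting fresh-name generator; uniqueness rests on the global counter."""
    return f"{base}{next(_counter)}"


def free_vars(t):
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, App):
        return free_vars(t.fun) | free_vars(t.arg)
    return free_vars(t.body) - {t.name}


def naive_subst(t, x, s):
    """t[s/x] with no capture check: gives (lambda x. x) for (lambda x. y)[x/y]."""
    if isinstance(t, Var):
        return s if t.name == x else t
    if isinstance(t, App):
        return App(naive_subst(t.fun, x, s), naive_subst(t.arg, x, s))
    if t.name == x:
        return t
    return Lam(t.name, naive_subst(t.body, x, s))


def subst(t, x, s):
    """Capture-avoiding t[s/x]: rename the binder when it would capture a free name of s."""
    if isinstance(t, Var):
        return s if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, s), subst(t.arg, x, s))
    if t.name == x:
        return t
    if t.name in free_vars(s) and x in free_vars(t.body):
        fresh = gensym(t.name)
        return Lam(fresh, subst(subst(t.body, t.name, Var(fresh)), x, s))
    return Lam(t.name, subst(t.body, x, s))


def alpha_eq(t, u):
    """alpha-equivalence, itself defined via renaming both binders to one fresh name."""
    if isinstance(t, Var) and isinstance(u, Var):
        return t.name == u.name
    if isinstance(t, App) and isinstance(u, App):
        return alpha_eq(t.fun, u.fun) and alpha_eq(t.arg, u.arg)
    if isinstance(t, Lam) and isinstance(u, Lam):
        v = Var(gensym("v"))
        return alpha_eq(subst(t.body, t.name, v), subst(u.body, u.name, v))
    return False


def capture_demo():
    """(lambda x. y)[x/y]: returns (naive result, capture-avoiding result)."""
    t = Lam("x", Var("y"))
    return naive_subst(t, "y", Var("x")), subst(t, "y", Var("x"))
```

Note how much of the code is bookkeeping that the mathematics leaves implicit: the free-variable computation, the capture test, the renaming, and the fact that correctness of `alpha_eq` depends on `subst` already being right.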

2.2 Name-free approaches

Another popular technique for managing abstract syntax with binding is to use a name-free notation
for functions. Name-free approaches have a long history, beginning with Schönfinkel's development
of combinatory logic in the 1920s [71], and have had considerable influence on both theory and practice
of logic and programming. Schönfinkel [71] and later Curry and Feys [20] developed combinatory
logic, a logic of applicative expressions defined using rewriting rules. In combinatory logic, a
$\lambda$-term such as $\lambda x.\lambda y.x\,y$ can be expressed as the combinator expression $S(S(KS)(S(KK)I))(KI)$;
here $S$, $K$, and $I$ are basic functional expressions with the same meaning as $\lambda xyz.(xz)(yz)$, $\lambda xy.x$,
and $\lambda x.x$, respectively. N. G. de Bruijn proposed two encodings (often called de Bruijn indices
and de Bruijn levels) for the $\lambda$-calculus which neatly circumvent the difficulties arising from
$\alpha$-equivalence by representing variables as integer references (or pointers) to their binding sites. For
example, the de Bruijn index version of both $\lambda x.\lambda y.x\,y$ and $\lambda z.\lambda w.z\,w$ is $\lambda\lambda\,2\,1$. Thus, $\alpha$-equivalence
collapses to syntactic equality. Stoy diagrams [72] are a graphical representation of $\lambda$-terms often
used to explain variable binding; an example is shown in Figure 1.

Combinators and de Bruijn index representations are powerful and useful ideas; the former
serves as the basis for efficient functional language implementations, while the latter has been
used as an efficient internal representation in many theorem provers (beginning with de Bruijn's
AUTOMATH) and in efficient functional programming implementation techniques such as explicit
substitutions. Nevertheless, combinators can increase the size of an expression exponentially,
and neither encoding is human-readable, so neither is well suited for high-level programming or
reasoning tasks. Moreover, name-free approaches by definition do not provide any assistance for
dealing with free names.
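An added example (not from the column): converting named $\lambda$-terms to de Bruijn indices in Python. It shows that $\lambda x.\lambda y.x\,y$ and $\lambda z.\lambda w.z\,w$ both encode as $\lambda\lambda\,2\,1$, so $\alpha$-equivalence becomes plain equality of the encoding, and it also shows the point about free names: an open term only gets indices relative to an externally supplied ordered context, and those indices change when the context does. The constructor names and `to_de_bruijn` are this example's own.

```python
# Added example (not from the column): de Bruijn indices, where a bound variable is
# the 1-based distance to its binder and alpha-equivalence is structural equality.
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class App:
    fun: object
    arg: object


@dataclass(frozen=True)
class Lam:
    name: str
    body: object


@dataclass(frozen=True)
class DBVar:
    index: int      # 1 = innermost enclosing binder, 2 = the next one out, ...


@dataclass(frozen=True)
class DBApp:
    fun: object
    arg: object


@dataclass(frozen=True)
class DBLam:
    body: object    # the binder carries no name at all


def to_de_bruijn(t, env=()):
    """env lists enclosing binder names innermost first.  A free name has no
    natural index, so it must be supplied in the initial env; its index then
    depends on that context, which is why name-free encodings give no help
    with free names."""
    if isinstance(t, Var):
        if t.name not in env:
            raise ValueError(f"free name {t.name!r} has no index")
        return DBVar(env.index(t.name) + 1)
    if isinstance(t, App):
        return DBApp(to_de_bruijn(t.fun, env), to_de_bruijn(t.arg, env))
    return DBLam(to_de_bruijn(t.body, (t.name,) + env))


def show(t):
    """Render in the column's notation, e.g. 'λλ(2 1)'."""
    if isinstance(t, DBVar):
        return str(t.index)
    if isinstance(t, DBApp):
        return f"({show(t.fun)} {show(t.arg)})"
    return "λ" + show(t.body)


def alpha_equivalent(t, u, free=()):
    """Alpha-equivalence collapses to equality of the encodings (same free context)."""
    return to_de_bruijn(t, free) == to_de_bruijn(u, free)
```

Shadowing is handled for free by `env.index`, which finds the innermost binder first; what the encoding cannot do is name a free variable independently of the order in which the surrounding context happens to list it.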
2.3 Higher-order abstract syntax

An elegant alternative is to employ higher-order abstract syntax (HOAS). In this technique, we
work with an enriched meta-language that provides some form of binding (such as the typed lambda-
calculus). Variables and binding term constructors at the object level are encoded as variables and
higher-order constants in the metalanguage. This is best illustrated by an example. Using higher-order
abstract syntax, a quantified formula like $\forall x{:}\mathbb{N}.P(x)$ would be encoded as $\mathit{forall}\,(\lambda x.P\,x)$,
where $\mathit{forall} : (\mathit{Nat} \to \mathit{Prop}) \to \mathit{Prop}$ and $P : \mathit{Nat} \to \mathit{Prop}$. This powerful idea, first used in Church's
higher-order logic [12], is used in many advanced programming languages and logical frameworks
(e.g. $\lambda$Prolog and Twelf, among others).

However, in my opinion, higher-order abstract syntax is not without drawbacks, both from the
point of view of programming with and reasoning about languages involving binding. The problems
can be broken down into five areas:

1. Higher-order abstract syntax is based on complex semantic and algorithmic foundations
(higher-order logic [17], recursive domain equations [77], higher-order unification) so
requires a fair amount of ingenuity to learn, implement and analyze [27, 43, 71].

2. Properties of the metalanguage (such as weakening and substitution lemmas) are inherited
by object languages, whether or not this is desirable; this necessitates modifications to handle
logics and languages with unusual behavior. Examples include linear logic and concurrency [86].

3. Variable names are "second class citizens"; they only represent other object-language expressions
and have no existence or meaning outside of their scope. This complicates formalizing
languages with generativity (for example, datatype names in ML), program logics with mutable
variables such as Hoare logic or dynamic logic [44], and translations such as closure
conversion that rely on the ability to test for name-equality.

4. Higher-order language encodings are often so different from their informal "paper" presentations
that proving "adequacy" (that is, equivalence of the encoding and the real language)
is nontrivial, and elegant-looking encodings can be incorrect for subtle reasons. Hannan [39]
developed and proved partial correctness of a closure conversion translation in LF, but did not
prove adequacy of the encoding; careful inspection suggests that it is not adequate. Abel [2]
investigated an elegant and natural-seeming but inadequate third-order and a less elegant but
adequate second-order HOAS encoding of the $\lambda\mu$-calculus.

5. Higher-order abstract syntax is less expressive than first-order abstract syntax: it apparently
cannot deal with situations involving "open terms" mentioning an indefinite number of free
variables. For example, HOAS apparently cannot model the behavior of ML-style let-bound
polymorphism as usually implemented [41], though a simulation is possible [40].

To be fair, when it works, higher-order abstract syntax is highly satisfying and clearly superior to 
first-order abstract syntax, and research on higher-order abstract syntax has shown that many of 
these problems can be alleviated. In addition, any of these properties can also be seen in a more 
positive light: 

I. Higher-order abstract syntax is based on powerful and elegant semantic and algorithmic foundations
(higher-order logic, recursive domain equations, higher-order unification) involving
deep ideas of computer science and logic.
II. Properties of the metalanguage (such as weakening and substitution lemmas) are inherited
by object languages, thus saving a lot of work re-proving them for typical languages.

III. Programmers do not have to painstakingly re-implement efficient fresh name generation, a- 
equivalence, or capture-avoiding substitution operations, freeing them to focus on high-level 
problems. 

IV. Higher-order language encodings encourage "refactoring" object-languages in a way that 
makes all variable binding explicit; the results are often much more elegant and uniform 
than "paper" versions. 

V. Higher-order abstract syntax encourages "one binding at a time" definitions and proofs, and 
discourages complicated (and frequently unnecessary) reasoning about open terms. 

I am not arguing that points (1-5) are right and (I-V) are wrong (or vice versa); both views have
merit. Anyone interested in formalizing programming languages or logics should consider higher-order
abstract syntax, because it enjoys several mature implementations such as Twelf and $\lambda$Prolog.
Nevertheless, I believe it is worthwhile to investigate alternatives.

3 Nominal abstract syntax 

Recently, Gabbay and Pitts [35, 36] have developed an alternative approach to abstract syntax with
binding. This approach is based on the idea of taking names to be an abstract but first-class data
type, and name-binding (or name-abstraction) to be an abstract data type construction involving
the type of names and an arbitrary type. Thus, as in first-order abstract syntax, names denote
semantic values, and are not just syntactic entities; on the other hand, like higher-order abstract
syntax, access to the internal representations of names and name-binding operations is restricted
so that low-level implementation issues are separated from high-level concerns. I call this approach
nominal abstract syntax, because of its focus on names.

The key technical insight in nominal abstract syntax is the fact that one-to-one (or, equivalently,
invertible) renamings can play a central role in explicating name-binding (and, in fact, many other
uses of names). At an intuitive level, the reason is that in many situations, the only properties of
names that are of interest are equality/inequality among names and freshness, that is, the property
that a name does not appear "free" in a term. Non-invertible capture-avoiding renamings do preserve
equality (e.g., $t = u$ implies $t[x/y] = u[x/y]$) but may not preserve inequality or freshness. For
example, $x \neq y$ but $x[x/y] = x = y[x/y]$, and $x \notin FV(\lambda x.f\,x\,y)$ but
$x[x/y] = x \in FV(\lambda x'.f\,x'\,x) = FV((\lambda x.f\,x\,y)[x/y])$. Invertible renamings, on the other hand,
preserve all of these properties: for example, writing $(-)(x \leftrightarrow y)$ for simultaneous capture-avoiding
substitution of $x$ for $y$ and $y$ for $x$, we have $x(x \leftrightarrow y) = y \neq x = y(x \leftrightarrow y)$ and
$x(x \leftrightarrow y) = y \notin FV(\lambda x'.f\,x'\,x) = FV((\lambda x.f\,x\,y)(x \leftrightarrow y))$.

Although an approach based on invertible renamings may seem unnatural to modern logicians
and computer scientists, Gabbay and Pitts were not the first to recognize the importance of
invertible renamings. Permutations are frequently used to define the equivalence class of alphabetic
variants of an object (e.g., in logic programming, two logic program clauses or unifiers which differ
only by a permutation of variables are equivalent; graphs and automata are considered equivalent
up to invertible renaming of state names). Also, in a formalization of the $\lambda$-calculus, McKinna
and Pollack [52] identified invertible renamings as an important concept that can be used to define
$\alpha$-equivalence.

In fact, the basic idea of using one-to-one renamings to understand name-binding dates to
Frege's Begriffsschrift, the first systematic treatment of symbolic predicate logic. In Frege's work,
bound names were syntactically distinguished from unbound names: the former were written using
German (Fraktur) letters $\mathfrak{a}, \mathfrak{b}, \mathfrak{c}$, and the latter using Roman (italic) letters $x, y, z$. For Frege, bound names
were subject to renaming using the following principle:

    ... Replacing a German letter everywhere in its scope by some other one is, of course,
    permitted, so long as in places where different letters initially stood different ones also
    stand afterward. This has no effect on the content. [29]

On the other hand, Frege did not give a completely explicit formal treatment of substitution, and
as a result much of the complexity resulting from the interaction of substitution and name-binding
was hidden.

Gabbay and Pitts' original approach was based on ideas from Fraenkel-Mostowski permutation
models of set theory (FM set theory), originally developed as an early attempt to prove
the independence of the Axiom of Choice from ZF set theory. In fact, Gabbay and Pitts' work was
carried out in a form of FM set theory that does not satisfy the Axiom of Choice. While this is
a very interesting approach, it has led many observers to believe that nonstandard FM set theory
and rejection of the Axiom of Choice is necessary for working with nominal abstract syntax, not
just sufficient.

This is not the case; Pitts showed that the basic principles of nominal abstract syntax
can be formalized as nominal logic, an extension of typed first-order equational logic that can be
analyzed within ZFC just like any other logic. In this approach, there is no conflict with the Axiom
of Choice or the mainstream foundations of mathematics. On the other hand, nominal logic lacks
some of the Choice-like properties of first-order logic (such as unrestricted Skolemization), but this
is not a foundational problem.

In the rest of this section I will provide a brief overview of nominal abstract syntax and nominal
logic, followed by an example of reasoning in nominal logic. Much more detail can be found in the
papers on nominal logic and nominal abstract syntax.

3.1 Nominal logic

The key ingredients of nominal logic are:

• a syntactic class of names $a, b, \ldots \in \mathbb{A}$, partitioned into name-types $\nu, \nu', \ldots$,

• a swapping operation $(a\ b)\cdot t$ that swaps two names of the same type within a value,

• a freshness relation $a \mathrel{\#} t$ that relates a name to a value when the name does not appear
"free" in the value,

• an abstraction operation $\langle a\rangle t$ that binds a name within a value, and admits equality up to
$\alpha$-equivalence, and

• a self-dual new-quantifier $Иa{:}\nu.\varphi$ (written with a reversed N) that quantifies over all fresh names
(equivalently, some fresh name) of type $\nu$.

In addition, nominal logic embodies two key logical principles:

• Fresh name generation. A name fresh for any value (or for each of finitely many values)
can always be found.

• Equivariance. Relations are invariant up to swapping; the choice of particular names in a
formula is irrelevant.
The syntax of nominal logic is as follows:

    (Types)            $\sigma ::= \nu \mid \delta \mid \langle\nu\rangle\sigma$
    (Contexts)         $\Sigma ::= \cdot \mid \Sigma, x{:}\sigma \mid \Sigma \mathrel{\#} a{:}\nu$
    (Terms)            $t ::= a \mid c \mid f(\vec{t}) \mid x \mid (a\ b)\cdot t \mid \langle a\rangle t$
    (Atomic formulas)  $A ::= p(\vec{t}) \mid t \approx u \mid a \mathrel{\#} t$
    (Formulas)         $\varphi ::= A \mid \varphi \supset \psi \mid \bot \mid \forall x{:}\sigma.\varphi \mid Иa{:}\nu.\varphi$

A language $\mathcal{L}$ consists of a set of data types $\delta$, name types $\nu$, constants $c : \delta$, function symbols
$f : \vec{\sigma} \to \delta$, and relation symbols $p : \vec{\sigma} \to o$. Well-formed terms and atomic formulas are defined as
follows:

    $\dfrac{a{:}\nu \in \Sigma}{\Sigma \vdash a : \nu}$
    $\dfrac{x{:}\sigma \in \Sigma}{\Sigma \vdash x : \sigma}$
    $\dfrac{c{:}\delta \in \mathcal{L}}{\Sigma \vdash c : \delta}$
    $\dfrac{f{:}\vec{\sigma}\to\delta \in \mathcal{L} \quad \Sigma \vdash \vec{t} : \vec{\sigma}}{\Sigma \vdash f(\vec{t}) : \delta}$
    $\dfrac{\Sigma \vdash a : \nu \quad \Sigma \vdash t : \sigma}{\Sigma \vdash \langle a\rangle t : \langle\nu\rangle\sigma}$

    $\dfrac{\Sigma \vdash a : \nu \quad \Sigma \vdash b : \nu \quad \Sigma \vdash t : \sigma}{\Sigma \vdash (a\ b)\cdot t : \sigma}$
    $\dfrac{\Sigma \vdash t : \sigma \quad \Sigma \vdash u : \sigma}{\Sigma \vdash t \approx u : o}$
    $\dfrac{\Sigma \vdash a : \nu \quad \Sigma \vdash t : \sigma}{\Sigma \vdash a \mathrel{\#} t : o}$
    $\dfrac{p{:}\vec{\sigma}\to o \in \mathcal{L} \quad \Sigma \vdash \vec{t} : \vec{\sigma}}{\Sigma \vdash p(\vec{t}) : o}$

Here we write $o$ for the type of propositions; however, quantification over types mentioning $o$ is
not allowed. Well-formedness for the first-order connectives is defined in the usual way; well-formedness
for $Иa{:}\nu.\varphi$ is defined as for $\forall a{:}\nu.\varphi$. Other formulas such as truth $\top$, conjunction $\varphi \wedge \psi$,
disjunction $\varphi \vee \psi$, logical equivalence $\varphi \Leftrightarrow \psi$, and existential quantification $\exists x{:}\sigma.\varphi$ are defined
as usual in classical logic.

While ordinary capture-avoiding renaming/substitution needs to be defined carefully to prevent
variable capture, invertible renamings can be defined by a simple structural induction:

    $(a\ b)\cdot a = b$                                    $(a\ b)\cdot c = c$
    $(a\ b)\cdot b = a$                                    $(a\ b)\cdot f(t_1,\ldots,t_n) = f((a\ b)\cdot t_1, \ldots, (a\ b)\cdot t_n)$
    $(a\ b)\cdot a' = a' \quad (a \neq a' \neq b)$        $(a\ b)\cdot \langle a'\rangle t = \langle (a\ b)\cdot a'\rangle (a\ b)\cdot t$

Note that the names appearing in "binding" positions of abstractions are not $\alpha$-renamed prior to
applying a swapping; instead, the swapping is applied to both the name and body. This would be
incorrect for a non-invertible renaming, e.g.

    $(\lambda x.y)[x/y] = \lambda x'.x \neq \lambda x.x = \lambda(x[x/y]).y[x/y]$

however, invertibility ensures that "variable capture" is avoided:

    $(a\ b)\cdot(\langle a\rangle b) = \langle b\rangle a = \langle (a\ b)\cdot a\rangle (a\ b)\cdot b$

That is, invertible renamings are inherently capture-avoiding.

Next, we define what it means for a name to be independent of (or fresh for) a term. Intuitively,
a name $a$ is fresh for a term $t$ (that is, $a \mathrel{\#} t$) if $t$ possesses no occurrences of $a$ unenclosed by an
abstraction of $a$. We define this using the following inference rules:

    $\dfrac{(a \neq b)}{\vdash a \mathrel{\#} b}$
    $\dfrac{}{\vdash a \mathrel{\#} c}$
    $\dfrac{\vdash a \mathrel{\#} t_i \ (i = 1,\ldots,n)}{\vdash a \mathrel{\#} f(t_1,\ldots,t_n)}$
    $\dfrac{\vdash a \mathrel{\#} b \quad \vdash a \mathrel{\#} t}{\vdash a \mathrel{\#} \langle b\rangle t}$
    $\dfrac{}{\vdash a \mathrel{\#} \langle a\rangle t}$

We sometimes refer to the set of "free" names of a term $FN(t) = \mathbb{A} - \{a \mid a \mathrel{\#} t\}$ as its support.

Finally, we define an appropriate equality relation on nominal terms that identifies abstractions
up to "safe" renaming.

    $\dfrac{}{\vdash a \approx a}$
    $\dfrac{}{\vdash c \approx c}$
    $\dfrac{\vdash t_i \approx u_i \ (i = 1,\ldots,n)}{\vdash f(t_1,\ldots,t_n) \approx f(u_1,\ldots,u_n)}$
    $\dfrac{\vdash t \approx u}{\vdash \langle a\rangle t \approx \langle a\rangle u}$
    $\dfrac{\vdash a \mathrel{\#} u \quad \vdash t \approx (a\ b)\cdot u}{\vdash \langle a\rangle t \approx \langle b\rangle u}$

For example, $\langle a\rangle f(a,b) \approx \langle c\rangle f(c,b) \not\approx \langle b\rangle f(b,a)$; the first equation is derived as follows:

    $\dfrac{\dfrac{\vdash a \mathrel{\#} c \quad \vdash a \mathrel{\#} b}{\vdash a \mathrel{\#} f(c,b)} \qquad \dfrac{\vdash a \approx a \quad \vdash b \approx b}{\vdash f(a,b) \approx f(a,b)}}{\vdash \langle a\rangle f(a,b) \approx \langle c\rangle f(c,b)}$

(The right-hand premise is $f(a,b) \approx (a\ c)\cdot f(c,b)$, and $(a\ c)\cdot f(c,b) = f(a,b)$.) The second rule for
abstraction may seem asymmetric because we do not check that $b \mathrel{\#} t$. In fact, this check is
redundant: if $a \mathrel{\#} u$ and $t \approx (a\ b)\cdot u$, then $(a\ b)\cdot t \approx u$ and so $a \mathrel{\#} (a\ b)\cdot t$; by applying the swapping
$(a\ b)$ to both sides, we get $b \mathrel{\#} t$, since $(a\ b)\cdot a = b$ and $(a\ b)\cdot(a\ b)\cdot t = t$. (It is straightforward
to show that $a \mathrel{\#} t$ implies $(b\ b')\cdot a \mathrel{\#} (b\ b')\cdot t$ for any $a, b, b', t$.)

Nominal logic proper consists of first-order logic extended with a first-order axiomatization of
swapping, freshness, and abstraction, and with a new form of quantified formula, $Иa.\varphi$. For the
purposes of this column, we restrict attention to term models of nominal logic, in which function
symbols and constants are interpreted as themselves (with swapping and abstraction having the
special meanings given by the above rules). The intended objects of study in nominal logic are
usually terms, and focusing on term models means that we can avoid some model-theoretic subtleties
(for more on this issue, see [12]).

Since there is no choice in the interpretation of the constants and function symbols, a term
model $\mathcal{M}$ can be represented as a set of ground atomic formulas $A$; we require that this set be
closed under renaming, so that $(a\ b)\cdot A \in \mathcal{M}$ if and only if $A \in \mathcal{M}$. For term models, the semantics
of closed nominal logic formulas can be defined as follows:

    $\mathcal{M} \models A$                               iff  $A \in \mathcal{M}$   (for an atomic formula $A = p(\vec{t})$)
    $\mathcal{M} \models t \approx u$                     iff  $\vdash t \approx u$
    $\mathcal{M} \models a \mathrel{\#} u$                iff  $\vdash a \mathrel{\#} u$
    $\mathcal{M} \models \varphi \supset \psi$            iff  $\mathcal{M} \models \varphi$ implies $\mathcal{M} \models \psi$
    $\mathcal{M} \models \forall x{:}\sigma.\varphi(x)$   iff  $\mathcal{M} \models \varphi(t)$ for every $t : \sigma$
    $\mathcal{M} \models Иa{:}\nu.\varphi(a)$             iff  $\mathcal{M} \models \varphi(a)$ for some $a : \nu$ with $a \notin FN(\varphi(a))$

As an example, we consider the following (valid) property of nominal logic:

    $\models \forall a, b{:}\nu, x{:}\sigma.\ a \mathrel{\#} x \wedge b \mathrel{\#} x \supset (a\ b)\cdot x \approx x$

To verify the validity of this formula, it suffices to show by structural induction on terms $t$ that for
any concrete names $a, b \mathrel{\#} t$, $(a\ b)\cdot t \approx t$. This is straightforward for all but the abstraction cases;
for abstractions, if the abstracted name is $a$ or $b$, then the second equality rule for abstractions
must be used.

We next establish further properties of nominal logic mentioned above. In particular, it is easy
to show by induction (on $n$-tuples of terms $\vec{t}$) that the freshness principle

    (F)  $\forall \vec{x}.\ \exists a{:}\nu.\ a \mathrel{\#} \vec{x}$

is valid. Similarly, it is straightforward to show by induction on $\varphi$ that the equivariance principle

    (EV)  $\varphi \Longleftrightarrow (a\ b)\cdot\varphi$

is valid. We also made the (possibly counterintuitive) claim that $И$ is self-dual; that is,
$\neg Иa.\varphi(a) \Longleftrightarrow Иa.\neg\varphi(a)$. To prove this, suppose $\not\models Иa.\varphi(a)$. Then for every $a \notin FN(\varphi(a))$,
$\mathcal{M} \not\models \varphi(a)$. Since $FN(\varphi(a))$ is finite and $\mathbb{A}$ is infinite, we may choose a particular $a \notin FN(\varphi(a))$
such that $\mathcal{M} \not\models \varphi(a)$. Hence, $\mathcal{M} \models \neg\varphi(a)$, and since $a \notin FN(\varphi(a))$ we can conclude that
$\models Иa.\neg\varphi(a)$. (For the converse direction, equivariance does the work: if $\mathcal{M} \models \varphi(a')$ for some
fresh $a'$, then swapping $a'$ with any other fresh name $a$ gives $\mathcal{M} \models \varphi(a)$, since neither name is in
the support of $\varphi$; so if some fresh name falsifies $\varphi$, every fres名 name does.) Using similar
reasoning it is not difficult to show that

    $Иa.\varphi(a,\vec{x}) \Longleftrightarrow \exists a.\ a \mathrel{\#} \vec{x} \wedge \varphi(a,\vec{x}) \Longleftrightarrow \forall a.\ a \mathrel{\#} \vec{x} \supset \varphi(a,\vec{x})$

Because of this self-duality property, we can use particularly simple proof rules for the $И$-quantifier.
For example, sequent-style rules have the following form:

    $\dfrac{\Sigma \mathrel{\#} a : \Gamma \Longrightarrow \varphi(a)}{\Sigma : \Gamma \Longrightarrow Иa.\varphi(a)}$
    $\dfrac{\Sigma \mathrel{\#} a : \Gamma, \varphi(a) \Longrightarrow C}{\Sigma : \Gamma, Иa.\varphi(a) \Longrightarrow C}$

Here, the context $\Sigma$ contains variables (introduced as $\forall$ or $\exists$ parameters) and names (introduced by
the $И$-rules). The context $\Sigma \mathrel{\#} a$ indicates that $a$ is assumed to be distinct from all names in $\Sigma$ and
fresh for all values of variables in $\Sigma$. Intuitively, these rules state that to either prove a $И$-quantified
conclusion or make use of a $И$-quantified hypothesis, it suffices to instantiate the conclusion or
hypothesis with a completely fresh name and proceed. In the example to follow, we won't be
completely formal about proofs in nominal logic; instead we will reason at the semantic level about
term models. More detail about the proof theory can be found in the papers [34, 15].



3.2 A theory of the syntax of the $\lambda$-calculus

As an example of the expressiveness of nominal logic, we show how the abstract syntax of the
$\lambda$-calculus can be formalized as a theory $\Gamma_\Lambda$ of nominal logic. We also prove some simple properties
concerning capture-avoiding substitution. We consider a language including one data type $\mathit{exp}$ for
$\lambda$-terms, one name-type $\mathit{var}$ for $\lambda$-calculus variable names, and the following function symbols:

    $\mathit{var} : \mathit{var} \to \mathit{exp}$
    $\mathit{lam} : \langle\mathit{var}\rangle\mathit{exp} \to \mathit{exp}$
    $\mathit{app} : \mathit{exp} \times \mathit{exp} \to \mathit{exp}$

We use $a, b, c$ for variables of type $\mathit{var}$, and $M, N$ for variables of type $\mathit{exp}$. Since we are interpreting
nominal logic over syntactic models only, we assume the following axioms expressing that $\mathit{var}$, $\mathit{lam}$,
and $\mathit{app}$ are injective functions, and their ranges are disjoint:

    $\mathit{var}(a) \approx \mathit{var}(b) \supset a \approx b$                                            (1)
    $\mathit{app}(M, N) \approx \mathit{app}(M', N') \supset M \approx M' \wedge N \approx N'$              (2)
    $\mathit{lam}(M) \approx \mathit{lam}(M') \supset M \approx M'$                                       (3)
    $\mathit{var}(a) \not\approx \mathit{app}(M, N)$                                                      (4)
    $\mathit{var}(a) \not\approx \mathit{lam}(M)$                                                         (5)
    $\mathit{app}(M, M') \not\approx \mathit{lam}(N)$                                                     (6)

Let $P(x)$ be a formula with a free parameter $x{:}\mathit{exp}$ (and possibly other parameters). We can
express a structural induction principle over expressions as follows:

    $(\Lambda_{\mathit{ind}})$   $(\forall a{:}\mathit{var}.\ P(\mathit{var}(a)))$
               $\wedge\ (\forall M, N{:}\mathit{exp}.\ P(M) \wedge P(N) \supset P(\mathit{app}(M, N)))$
               $\wedge\ (Иa{:}\mathit{var}.\ \forall M{:}\mathit{exp}.\ P(M) \supset P(\mathit{lam}(\langle a\rangle M)))$
               $\supset\ \forall x{:}\mathit{exp}.\ P(x)$
    typ(G, var(X), T)               :- mem((X, T), G).
    typ(G, app(M, N), T')           :- typ(G, M, arr(T, T')), typ(G, N, T).
    typ(G, lam(<a>M), arr(T, T'))   :- a # G, typ([(a, T)|G], M, T').

    subst(var(a), P, a, P).
    subst(var(b), P, a, var(b)).
    subst(app(M, N), P, a, app(M', N'))   :- subst(M, P, a, M'), subst(N, P, a, N').
    subst(lam(<b>M), P, a, lam(<b>M'))    :- b # P, subst(M, P, a, M').

Figure 2: Simple Horn clause definitions

Note that $FV(\forall M{:}\mathit{exp}.\ P(M) \supset P(\mathit{lam}(\langle a\rangle M))) = \{a\} \cup FV(P)$, so the $И$-quantified name $a$ in
the third case must be fresh for any additional parameters of $P$.

The axioms (1)-(6) together with all instances of $(\Lambda_{\mathit{ind}})$ form the theory $\Gamma_\Lambda$. This theory is valid
in any term model $\mathcal{M}$ for the language $\Lambda$. Moreover, we can extend the language with additional
atomic formulas defined by Horn clauses, as a consequence of a version of Herbrand's Theorem for
nominal logic [12]:

Theorem 1. Let $R_1, \ldots, R_n$ be fresh relation symbols and let $\Gamma$ be a set of nominal Horn clauses,
that is, closed formulas of the form

    $И\vec{a}.\forall\vec{x}.\ A_1(\vec{a},\vec{x}) \wedge \ldots \wedge A_n(\vec{a},\vec{x}) \supset R_i(\vec{t}(\vec{a},\vec{x}))$

where $A_1, \ldots, A_n$ are either freshness, equality, or $R_i$ formulas. Then $\Gamma$ has a unique least term
model $\mathcal{M}$.

Nominal Horn clauses are also written in a Prolog-like notation, in which $И$-quantified variables
are replaced by constant names:

    $R_i(\vec{t}(\vec{a},\vec{x}))$ :- $A_1(\vec{a},\vec{x}), \ldots, A_n(\vec{a},\vec{x})$

For example, Figure 2 shows a typechecking judgment and a relation defining capture-avoiding
substitution. (We also use Prolog-like notation for lists and a list membership predicate $\mathit{mem}$.)
Reading $b \mathrel{\#} N$ as $b \notin FV(N)$, the axioms for $\mathit{subst}$ correspond precisely to Barendregt's relational
definition of capture-avoiding substitution [5].

It is inconvenient to work exclusively with relations, so we introduce a recursive definition
principle which justifies adding function symbols to the language. First, we observe that nominal
logic has a limited Skolemization property:

Theorem 2. If $\mathcal{M} \models \forall x{:}\sigma.\ \exists! y{:}\sigma'.\ F(x, y)$, then we may consistently extend the language with a
constant $f : \sigma \to \sigma'$ satisfying $\forall x{:}\sigma.\ F(x, f(x))$.

Suitable generalizations to multiple-argument functions also hold.

It is not difficult to show that the $\mathit{subst}$ relation defined in Figure 2 is total and functional in
its first three arguments, so we can Skolemize it as $-\{-/-\} : \mathit{exp} \times \mathit{exp} \times \mathit{var} \to \mathit{exp}$ satisfying the
following properties:

    $Иa{:}\mathit{var}.\ \forall N{:}\mathit{exp}.\ \mathit{var}(a)\{N/a\} \approx N$                                                      (7)
    $Иa{:}\mathit{var}, b{:}\mathit{var}.\ \forall N{:}\mathit{exp}.\ \mathit{var}(b)\{N/a\} \approx \mathit{var}(b)$                           (8)
    $Иa{:}\mathit{var}.\ \forall N, M_1, M_2{:}\mathit{exp}.\ \mathit{app}(M_1, M_2)\{N/a\} \approx \mathit{app}(M_1\{N/a\}, M_2\{N/a\})$      (9)
    $Иa{:}\mathit{var}.\ Иb{:}\mathit{var}.\ \forall N, M{:}\mathit{exp}.\ b \mathrel{\#} N \supset \mathit{lam}(\langle b\rangle M)\{N/a\} \approx \mathit{lam}(\langle b\rangle M\{N/a\})$   (10)

The $\beta$-reduction and $\eta$-reduction relations are also definable, using the following formulas:

    $(\beta)$  $\mathit{app}(\mathit{lam}(\langle a\rangle M), N) \to_\beta M\{N/a\}$
    $(\eta)$   $\forall M{:}\mathit{exp}.\ Иa{:}\mathit{var}.\ \mathit{lam}(\langle a\rangle \mathit{app}(M, \mathit{var}(a))) \to_\eta M$

along with reflexivity, transitivity, symmetry, and congruence properties, if desired. Note that the
implicit constraint $a \mathrel{\#} M$ arising from the quantifier ordering in $(\eta)$ corresponds to the traditional
side-condition $a \notin FV(M)$ on $\eta$-reduction.

We now prove two elementary properties of capture-avoiding substitution. 

Proposition 3. ^ Va:var, N, M:exp. a# M D M{N/a} ^ M. 

Proof. Proof is by the structural induction principle (Aind) applied to M. If M ~ var{b), then 
we must have a ^ h since var is injective. So M{N/a} ~ var{b){N / a} ~ var{b) ~ M. If 
M ^ app{Mi,M2), then a # M implies a # Mi,M2, so by induction, app{Mi,M2){N/a} ^ 
app{Mi{N/a},M2{N/a}) ^ app{Mi,M2). If M f» (b)M' for some fresh b # a, A^, then a # M', 
so by induction, M{N/a} ^ laml{b)M'){N/a} w lam{{b)M' {N/a}) ^ lam{{h)M') ^ M. □ 

Proposition 4. $\vdash И a, b{:}var.\ \forall M, N, N'{:}exp.\ a \# N' \supset M\{N/a\}\{N'/b\} \approx M\{N'/b\}\{N\{N'/b\}/a\}$. 

Proof. Let $a, b$ be fresh names. Proof is by the structural induction principle (λ-ind) applied to $M$. 
If $M \approx var(c)$, then there are three cases, depending on whether $c \approx a$, $c \approx b$, or $c \# a, b$. If 
$c \approx a$, then $M\{N/a\} \approx N$ and $M\{N'/b\} \approx var(a)$, so 

$$M\{N/a\}\{N'/b\} \approx N\{N'/b\} \approx var(a)\{N\{N'/b\}/a\} \approx M\{N'/b\}\{N\{N'/b\}/a\}$$

If $c \approx b$, then 

$$M\{N/a\}\{N'/b\} \approx var(b)\{N'/b\} \approx N' \approx N'\{N\{N'/b\}/a\} \approx M\{N'/b\}\{N\{N'/b\}/a\}$$

where $N' \approx N'\{N\{N'/b\}/a\}$ because $a \# N'$ (by Proposition 3). If $c \# a, b$ then 

$$var(c)\{N/a\}\{N'/b\} \approx var(c) \approx var(c)\{N'/b\}\{N\{N'/b\}/a\}$$

Next, if $M \approx app(M_1, M_2)$, then by induction we have 

$$M_1\{N/a\}\{N'/b\} \approx M_1\{N'/b\}\{N\{N'/b\}/a\}$$
$$M_2\{N/a\}\{N'/b\} \approx M_2\{N'/b\}\{N\{N'/b\}/a\}$$

so we can calculate that 

$$\begin{aligned}
app(M_1, M_2)\{N/a\}\{N'/b\} &\approx app(M_1\{N/a\}\{N'/b\},\ M_2\{N/a\}\{N'/b\}) \\
&\approx app(M_1\{N'/b\}\{N\{N'/b\}/a\},\ M_2\{N'/b\}\{N\{N'/b\}/a\}) \\
&\approx app(M_1, M_2)\{N'/b\}\{N\{N'/b\}/a\}
\end{aligned}$$

Finally, for the case of λ-abstraction, suppose that $c \# a, b, N, N'$ and $M \approx lam((c)M')$; the 
induction hypothesis is 

$$M'\{N/a\}\{N'/b\} \approx M'\{N'/b\}\{N\{N'/b\}/a\}.$$

Under these assumptions, we can conclude 

$$\begin{aligned}
lam((c)M')\{N/a\}\{N'/b\} &\approx lam((c)\,M'\{N/a\}\{N'/b\}) \\
&\approx lam((c)\,M'\{N'/b\}\{N\{N'/b\}/a\}) \\
&\approx lam((c)M')\{N'/b\}\{N\{N'/b\}/a\}.
\end{aligned}$$

Note that the last step relies on the fact that since $c \# N, b, N'$, it follows that $c \# N\{N'/b\}$. This 
completes the proof. □ 
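The following is an added, executable illustration of the machinery used above; it is not code from the column, from FreshML or from αProlog. It represents λ-terms as Python tuples with names as strings, defines swapping, support, freshness, α-equivalence (via swapping with a fresh name) and capture-avoiding substitution following equations (7)-(10), and then checks Propositions 3 and 4 on constructed terms. Every function name, the `fresh` counter scheme and the sample terms are this example's own assumptions.

```python
# Added example, not code from the column: nominal abstract syntax for the
# untyped lambda calculus, with capture-avoiding substitution by (7)-(10).
# Names are strings; terms are ('var', a), ('app', M, N) or ('lam', a, M).
# All function names and the sample terms are this example's own choices.
import itertools

V = lambda x: ('var', x)
A = lambda m, n: ('app', m, n)
L = lambda x, m: ('lam', x, m)

_counter = itertools.count()

def names_in(t):
    """Every name occurring in t (bound or free); t may itself be a name."""
    if isinstance(t, str):
        return {t}
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'app':
        return names_in(t[1]) | names_in(t[2])
    return {t[1]} | names_in(t[2])                         # 'lam'

def fresh(*avoid):
    """A name fresh for everything in `avoid`: the И-quantifier, concretely."""
    used = set().union(*(names_in(t) for t in avoid))
    while True:
        n = 'n%d' % next(_counter)
        if n not in used:
            return n

def swap(a, b, t):
    """Name swapping (a b)·t; total, and never needs a capture check."""
    sw = lambda n: b if n == a else a if n == b else n
    if t[0] == 'var':
        return V(sw(t[1]))
    if t[0] == 'app':
        return A(swap(a, b, t[1]), swap(a, b, t[2]))
    return L(sw(t[1]), swap(a, b, t[2]))

def support(t):
    """The free names of t (its smallest support)."""
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'app':
        return support(t[1]) | support(t[2])
    return support(t[2]) - {t[1]}

def is_fresh(a, t):
    """a # t"""
    return a not in support(t)

def alpha_eq(s, t):
    """s ≈ t: abstractions agree when their bodies agree after both bound
    names are swapped for one name fresh for both terms."""
    if s[0] != t[0]:
        return False
    if s[0] == 'var':
        return s[1] == t[1]
    if s[0] == 'app':
        return alpha_eq(s[1], t[1]) and alpha_eq(s[2], t[2])
    c = fresh(s, t)
    return alpha_eq(swap(s[1], c, s[2]), swap(t[1], c, t[2]))

def subst(M, N, a):
    """M{N/a} by (7)-(10).  The 'lam' case renames the binder to a c with
    c # N and c ≠ a, the side-condition of (10), so N is never captured."""
    if M[0] == 'var':
        return N if M[1] == a else M                       # (7), (8)
    if M[0] == 'app':
        return A(subst(M[1], N, a), subst(M[2], N, a))     # (9)
    c = fresh(M, N, a)
    return L(c, subst(swap(M[1], c, M[2]), N, a))          # (10)

def beta_head(t):
    """One head β-step app(lam((a)M), N) → M{N/a}, or None if not a redex."""
    if t[0] == 'app' and t[1][0] == 'lam':
        return subst(t[1][2], t[2], t[1][1])
    return None

def holds_prop3(M, N, a):
    """Proposition 3 on concrete terms: a # M ⊃ M{N/a} ≈ M."""
    return (not is_fresh(a, M)) or alpha_eq(subst(M, N, a), M)

def holds_prop4(M, N, N2, a, b):
    """Proposition 4: distinct a, b with a # N' give
    M{N/a}{N'/b} ≈ M{N'/b}{N{N'/b}/a}  (vacuous when the premise fails)."""
    if a == b or not is_fresh(a, N2):
        return True
    lhs = subst(subst(M, N, a), N2, b)
    rhs = subst(subst(M, N2, b), subst(N, N2, b), a)
    return alpha_eq(lhs, rhs)

# Constructed sample: (λx. λy. x y) y, where a naive substitution would
# capture the free y under the inner binder.
REDEX = A(L('x', L('y', A(V('x'), V('y')))), V('y'))
```

`beta_head(REDEX)` yields a term α-equivalent to `λz. y z`, not the captured `λy. y y`; the renaming in the `lam` case of `subst` is precisely what (10) demands.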

The above proof should seem trivial, and this is the point: nominal abstract syntax facilitates a 
rigorous style of reasoning with names and binding that is close to intuition and informal practice. 
Moreover, it provides an equational theory for dealing with expressions involving names and binding 
using standard algebraic and logical techniques. This advantage is shared by name-free approaches 
such as combinatory logic or de Bruijn indices. However, the latter approaches rely on cleverly 
getting rid of explicit names. As a result, it can be awkward or impossible to reason about situations 
involving free names, and even when possible, such reasoning is very unlike informal reasoning. In 
contrast, we can reason directly with free names in nominal abstract syntax in a formal, yet intuitive 
way. 

More advanced approaches such as higher-order abstract syntax often provide properties like 
the substitution lemma above "for free", that is, as a consequence of the metatheory of the higher-order 
metalanguage. This means that for languages whose metatheory does not match that of the 
metalanguage, such properties must again be proved in detail, and higher-order abstract syntax is 
too high-level for this, since names and fresh name generation are no longer accessible. In contrast, 
nominal techniques require explicit definitions of and reasoning about substitution, but are more 
flexible. 



4 Applications 

4.1 Programming techniques 

Probably the most immediately useful application of nominal abstract syntax is in providing more 
advanced support for symbolic programming with languages with bound names. One obvious 
approach is to extend an existing programming language with support for nominal abstract syntax, 
much as the languages λProlog, Twelf, MLλ and Delphin [73] extend logic or functional 
programming paradigms with support for higher-order abstract syntax. 

FreshML [65, 75, 76] is an extension of the ML programming language that provides built-in 
support for nominal abstract syntax. The main additions to the language are the let x:name = 
fresh construct, which chooses a fresh name and binds it to x, and the abstraction type/term 
constructor. Abstractions are considered equal up to α-renaming, and pattern matching against 
abstractions automatically freshens the bound name. In early versions of FreshML, a complicated 
type analysis was employed to ensure that name-generating functions were "pure" (side-effect-free); 
this analysis was found to be overly restrictive and has been dropped in recent versions, resulting in 
a language that is more permissive but has side-effects. There are no constant names in FreshML; 
instead, names are always obtained via fresh name generation and manipulated via variables. On 
the other hand, in recent versions of FreshML, names may be attached to data such as strings and 
integers; also, data structures containing names may be bound, not just individual names. The 
current implementation is available as an extension to the Objective Caml language, and so inherits 
the mature compiler and libraries available for that language. 
datatype lam = Var of name 
             | Lam of <name>lam 
             | App of lam * lam; 

datatype sem = L of (unit -> sem) -> sem 
             | N of neu 
and neu = V of name 
        | A of neu * sem; 

fun reify (L f) = let fresh x:name in 
                    Lam(<x>(reify (f (fn () => N(V x))))) 
  | reify (N n) = reifyn n 
and reifyn (V x) = Var x 
  | reifyn (A(n,d)) = App(reifyn n, reify d); 

fun evals [] (Var x) = N(V x) 
  | evals ((x,v)::env) (Var y) = if x = y then v() 
                                 else evals env (Var y) 
  | evals env (Lam(<x>t)) = L(fn v => evals ((x,v)::env) t) 
  | evals env (App(t1,t2)) = case evals env t1 
                               of L f => f (fn () => evals env t2) 
                                | N n => N(A(n, evals env t2)); 

fun eval t = evals [] t; 
fun norm t = reify (eval t); 

Figure 3: Normalization by evaluation in FreshML 



Figure 3 shows an interesting example FreshML program (from Shinwell et al.). It implements 
normalization by evaluation, an advanced technique for optimization that uses ML's 
higher-order features to simplify lambda-calculus expressions. In ordinary ML, fresh names must 
be generated by a user-defined gensym function; in contrast, in FreshML, built-in binding and 
fresh name generation can be used. In addition, although this program uses side-effects, it is not 
difficult to prove that it is actually a pure function (as one would expect). 

αProlog is a Prolog-like language that supports nominal abstract syntax; roughly speaking, it 
is to Prolog as FreshML is to ML. Unlike ordinary Prolog, αProlog is strongly typed. Some simple 
Horn clause programs involving λ-terms were shown in Figure 2. Types in αProlog are useful for 
describing the binding structure of term languages, and help catch many more errors statically. The 
unification algorithm used in αProlog is essentially the nominal unification algorithm developed 
by Urban, Pitts, and Gabbay. In this algorithm (and in αProlog) names are treated as 
concrete constants, rather than requiring that names are only manipulated via variables. However, 
name constants in program clauses are not interpreted as global constants, but as И-quantified 
within the clause. Thus, two names appearing in the clause may be instantiated with any two 
other distinct names, but not with the same name. In particular, this means that freshness and 
inequality constraints between names and other data can be employed to correctly implement 
informal freshness side-conditions, as shown in the closure conversion example of Figure 4. 
cconv([x|G], var(x), Env, pi1(Env)). 
cconv([x|G], var(y), Env, E') :- cconv(G, var(y), pi2(Env), E'). 
cconv(G, app(T1,T2), Env, E') :- cconv(G, T1, Env, E1), cconv(G, T2, Env, E2), 
                                 E' = let(E1, (c)app(pi1(var(c)), pair(E2, pi2(var(c))))). 
cconv(G, lam((x)T), Env, pair(lam((y)E'), Env)) 
    :- x # G, y # G, 
       cconv([x|G], T, var(y), E'). 

Figure 4: Closure conversion in αProlog 

αProlog is an example of a nominal logic programming language, that is, its logical foundation is 
nominal logic. Initially, the connection between nominal logic as originally formulated by Pitts and 
the operational behavior of unification and proof search in αProlog was less than clear. Nominal 
logic as reformulated by Cheney [16, 12] (and presented in simplified form in this paper) now 
provides a robust logical and semantic foundation for αProlog; however, as currently implemented, 
αProlog is logically incomplete (that is, there are queries whose answers cannot be found, even in 
principle). The reason is that αProlog's proof search and unification techniques address only the 
equational theory of nominal logic. Because of the equivariance principle, this is not enough; for 
example, the two atomic formulas p(a) and p(b) are logically equivalent but not provably equal as 
terms. 

There are two ways around this: solve the more general problem, or limit the programs so that 
the special case is enough. Both approaches have been explored. Complete proof search for general 
nominal logic programs requires solving equivariant unification problems [13], that is, unifying 
atomic formulas up to both a substitution for free variables and a name-permutation. This process 
is NP-complete and appears nontrivial to implement. Urban and Cheney [83] studied a fragment of 
nominal logic programs for which proof search based on nominal unification is complete. The idea 
of this result is that clauses that only manipulate bound names in simple ways are automatically 
equivariant, so explicit unification modulo equivariance is unnecessary. Although it excludes some 
interesting programs (such as closure conversion), this fragment includes many interesting αProlog 
programs, though slight modifications are sometimes necessary. 
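As an added illustration of the incompleteness just described (this is not αProlog's implementation, nor code from the column), the following Python block matches ground atomic formulas up to a permutation of names by exhaustive search. Syntactic equality, which is all nominal unification checks on name-only terms, fails to relate p(a) and p(b); a permutation search does relate them, but tries every injective renaming and so grows factorially in the number of names, which is the practical face of the NP-completeness noted in the text. Term encoding and function names are this example's own assumptions.

```python
# Added example, not from the column: equivariant matching by brute force.
# Atomic formulas are tuples (symbol, arg, ...); lowercase strings are
# names; nested tuples are subterms.  Function names are this example's own.
from itertools import permutations

def names(t):
    """Names occurring in a term (symbols in position 0 are not names)."""
    if isinstance(t, str):
        return {t}
    return set().union(set(), *(names(s) for s in t[1:]))

def act(pi, t):
    """pi·t: apply a name permutation, given as a dict, to a term."""
    if isinstance(t, str):
        return pi.get(t, t)
    return (t[0],) + tuple(act(pi, s) for s in t[1:])

def equivariant_match(t, u):
    """A permutation pi with pi·t == u, or None.  Every injective map from
    names(t) into the names of both terms is tried, so the work grows
    factorially with the number of names; syntactic equality alone would
    reject p(a) against p(b) even though the two are logically equivalent."""
    src = sorted(names(t))
    pool = sorted(names(t) | names(u))
    for image in permutations(pool, len(src)):
        pi = dict(zip(src, image))
        if act(pi, t) == u:
            return pi
    return None

def clause_head_applies(head, goal):
    """An αProlog clause head whose names are И-quantified applies to a
    ground goal exactly when some permutation makes it equal to the goal,
    so distinct clause names can only become distinct goal names."""
    return equivariant_match(head, goal) is not None
```

`clause_head_applies(('p', 'a', 'b'), ('p', 'c', 'c'))` is false while `clause_head_applies(('p', 'a', 'b'), ('p', 'd', 'c'))` is true, which is the "any two other distinct names, but not the same name" reading of clause names.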

It is important to point out that higher-order abstract syntax offers benefits for programming 
with names and binding that nominal abstract syntax still lacks; in particular, HOAS provides 
capture-avoiding substitution as an efficient, built-in operation, whereas nominal techniques 
typically do not. But higher-order techniques seem much more difficult to incorporate into existing 
languages, because of the need for higher-order unification and matching to manipulate higher-order 
terms. On the other hand, while capture-avoiding substitution is annoying to have to implement 
in FreshML or αProlog, there is no conceptual problem in doing so; instead, the problem is that 
there are a large number of similar "boilerplate" cases that are conceptually uninteresting but have 
to be written anyway. 

The need to write such boilerplate code and the need to switch to a new language are two 
potential drawbacks for programmers considering nominal abstract syntax. Recently, some progress has 
been made on both fronts, by projects providing nominal abstract syntax as a library or lightweight 
language translation rather than as a language extension, and employing generic programming 
techniques to alleviate the burden of implementing name-related boilerplate (or "nameplate"). Cheney 
developed a Haskell class library called FreshLib that provides much of the functionality of FreshML 
within Haskell, and also showed how to use Lämmel and Peyton Jones' "scrap your boilerplate" 
approach to generic programming to provide reusable, generic definitions of capture-avoiding 
substitution and other nameplate. Pottier has developed Cαml, a language tool for Objective 
Caml that translates type declarations decorated with binding specifications to plain Objective 
Caml programs that automatically deal with name-binding. Cαml's binding specifications can 
describe more complex binding structure than the one-name-at-a-time binding present in nominal 
logic; for example, Cαml can express pattern matching and letrec binding forms. In addition, 
Cαml provides visitor classes that can easily be overridden to implement capture-avoiding 
substitution. While these developments are encouraging, it is not clear yet whether nominal techniques 
can provide the same combination of convenience and efficiency as higher-order techniques. 

4.2 Automated reasoning 

A second major application area for nominal techniques is specifying and proving properties of 
formal systems, including logics, programming language calculi, concurrency calculi, and security 
protocols. 

Initial work of this form was carried out by Gabbay. Gabbay [30] implemented FM set theory in 
the Isabelle theorem prover, as a variant of Isabelle's implementation of ZF set theory (Isabelle/ZF). 
Unfortunately, Isabelle/ZF relies heavily on the Axiom of Choice, even in places where it is not 
strictly necessary. Because FM set theory is incompatible with the Axiom of Choice, it was 
necessary to re-develop a significant amount of set theory in Isabelle/FM. Gabbay also investigated 
FM-HOL, a form of higher-order logic based on FM set theory. As far as I know this has 
not been implemented; implementing FM-HOL as a variation on Isabelle/HOL would likely involve 
considerable effort because Isabelle/HOL also relies extensively on the Axiom of Choice. 

Gabbay's work was foundational in the sense that it attempted to incorporate nominal 
techniques into the surrounding mathematical foundations. While this is attractive because it builds 
several desirable properties into the foundations, it has a high start-up cost and requires potential 
users to adapt to the new foundations. One motivation for Pitts' development of nominal logic was 
to show how to work with nominal abstract syntax without leaving the mathematical mainstream. 
Pitts' recent paper [64] continues this theme by showing how to relate classical and nominal 
approaches to α-equivalence. Based on this insight, Norrish, Urban and Tasson [82], and Urban 
and Norrish have performed non-foundational formalizations of properties of the λ-calculus in 
classical higher-order logic. Rather than build swapping, freshness, etc. into the logic, Urban and 
others have defined swapping functions and constructed nominal abstract syntax trees explicitly, 
and proved explicit induction or recursion principles. Although some additional subgoals need to be 
proved in this approach relative to a foundational approach, the start-up cost of implementing this 
approach appears lower, and the learning curve for users already familiar with Isabelle/HOL seems 
gentler. Urban and others are currently working on extending Isabelle/HOL's datatype package 
so that induction and recursion principles can be derived automatically for datatypes employing 
nominal abstract syntax. 

Nominal logic appears to be related to two other recently investigated approaches to formal 
reasoning about languages with names: the Theory of Contexts and FOλ^∇. Both have been 
used to carry out complete machine-checkable formalizations of properties of interesting languages, 
including the π-calculus. 

The Theory of Contexts (TOC) is an axiomatic extension to the Calculus of Inductive 
Constructions (or CIC), the type theory of the Coq system. In TOC, names are represented by an 
abstract base type V. Equality is assumed to be decidable for names. Moreover, there is a freshness 
relation notin relating names and arbitrary values, and fresh names are always assumed to exist. 
Name-binding is represented using the function type V → X. The Theory of Contexts appears 
to be similar in some respects to nominal logic; in fact, Miculan, Scagnetto, and Honsell have 
developed a translation from nominal logic specifications to TOC specifications. This translation is 
sound (translates derivable formulas of nominal logic to derivable formulas of CIC/TOC) but not 
complete (some non-derivable formulas have derivable translations). This is because the Theory of 
Contexts is set in a higher-order type theory that is stronger than the first-order setting of nominal 
logic. Nevertheless, it seems fair to say that TOC is approximately equivalent to nominal logic 
in expressive power. The chief difference seems to be the handling of binding via a higher-order 
function encoding rather than an explicit axiomatization. 

Miller and Tiu have introduced FOλ^{Δ∇}, which stands for First-Order logic with λ-terms, 
Definitions, and the ∇-quantifier. As its title suggests, this logic includes function types populated 
by λ-terms, but only permits quantification over "first-order" types (that is, types not mentioning 
o, the type of propositions). In addition, FOλ^{Δ∇} includes the ability to make definitions and 
perform case-based reasoning on the structure of definitions, and a novel self-dual quantifier ∇. 
Though ∇ and И behave differently, Gabbay and Cheney developed a partial (sound but 
incomplete) translation from FOλ^∇ (the definition-free part of FOλ^{Δ∇}) to nominal logic, and 
Cheney has developed an improved, sound and complete translation. Miculan and Yemane 
have investigated the idea of using the semantics of nominal logic as the basis of a denotational 
semantics for FOλ^∇. 

Computational techniques such as unification, constraint solving, and rewriting are very relevant 
to automated deduction. As noted earlier, Urban, Pitts, and Gabbay first studied unification 
for nominal terms. Cheney [16, 13] noted that the unification problems their algorithm solves 
are only special cases of the problems that must be solved in general nominal logic programming or 
rewriting. The general cases of nominal unification (solving equations $t \approx u$), freshness constraint 
solving ($a \# t$), and equivariant unification ($\exists \pi.\ \pi \cdot t \approx u$) are all NP-complete. In fact, even 
equivariant matching (that is, equivariant unification where one side is ground) is NP-complete. 
Despite this, several tractable special cases of these problems are known. 

A significant area for future work in this area is the investigation of nominal equational 
unification: that is, unification modulo an extension to the equational theory of nominal logic. Many 
structural congruences considered in concurrency calculi can be expressed by a nominal equational 
theory. For example, π-calculus terms are considered structurally congruent modulo axioms such 
as: 

$$x \# P \supset nu((x)P) \approx P \qquad\qquad nu((x)nu((y)P)) \approx nu((y)nu((x)P))$$

Fernández, Gabbay, and Mackie have investigated nominal term rewriting systems. They study 
conditions for establishing confluence and show how existing higher-order rewriting formalisms can 
be simulated using nominal rewriting. They also discuss the implications of the NP-hardness of 
equivariant matching and present a syntactic condition on rewriting rules that ensures nominal 
matching is sufficient. Fernández and Gabbay investigate an extension of nominal rewriting 
with a "hidden name" operation Иa.t; this operation behaves like the name-restriction operation 
νa.P in the π-calculus. Gabbay [37] has also proposed a novel approach to reasoning about contexts 
(that is, terms with "holes") based on nominal techniques. 

So far most techniques for automating reasoning with nominal abstract syntax have focused on 
general-purpose formal systems and proof tools such as Isabelle/HOL or Coq. In contrast, there are 
several lightweight, domain-specific applications for formalizing, programming with, and reasoning 
about various forms of higher-order abstract syntax, including λProlog [57], Twelf, Linear 
LF, and Concurrent LF. These systems seem to have a much gentler learning curve than 
the general-purpose systems, yet are suitable for a wide range of applications. I am particularly 
interested in developing an analogous logical framework for nominal abstract syntax. The αProlog 
language can be viewed as a first step in that direction. 

On the other hand, the fact that nominal abstract syntax can be constructed explicitly in 
general-purpose reasoning systems such as Isabelle/HOL opens up another new direction: relat- 
ing denotational and operational semantics, and proving results via denotational rather than via 
operational techniques. 

4.3 Semantics 

Besides providing a foundation for programming and reasoning in the presence of name-binding, 
nominal techniques have several applications in logic and programming language semantics. 

Early work by Pitts and Stark and by Odersky [59] studied name-generation in functional 
programming languages as a simplified case of general side-effects. Pitts and Stark's nu-calculus 
analyzed name generation as an effectful computation, analogous to reference generation in ML. 
Names could be introduced with a "fresh name" binder νn.t, and tested for equality. The fresh 
name construction was interpreted operationally by maintaining a name-store: on encountering a 
νn.t term, a fresh name is bound to n and added to the store. In some ways, this work can be 
seen as an early precursor to that of Pitts and Gabbay on FreshML. Odersky developed a 
quite different functional theory of local names. His λν-calculus is syntactically essentially the 
same as Pitts and Stark's nu-calculus. But instead of treating name-generation as an effect, the 
λν-calculus deals with names in a local and functionally pure way. Odersky developed a denotational 
semantics for λν in terms of name-swapping and support. This development clearly foreshadows the 
later developments underlying nominal logic, FreshML, and αProlog, although, of course, without 
the application to binding. 

Schöpp and Stark [72] have developed a form of type theory based on nominal logic and the logic 
of bunched implications (BI) [69]. Intuitively, the idea of this system is to identify the "resources" 
of BI with the sets of names supporting values in nominal logic. This theory axiomatizes a type 
of names and includes "fresh" dependent products and sums Π*, Σ* (corresponding to ∀new, ∃new 
in BI) in addition to ordinary dependent products and sums. Though very interesting, there are 
many unresolved practical problems in this setting (for example, it is not yet known whether strong 
normalization holds). 

One area in which reasoning about name-generation is of particular interest is in concurrency 
calculi, in particular the π-calculus. A number of researchers have investigated applications of 
nominal techniques to the π-calculus and similar systems [33, 26, 78]. Ideas from nominal logic 
have also been incorporated into logics for reasoning about concurrency or data structures with 
name-hiding. 

5 Future directions 

The equivariance principle is an integral component of nominal logic as currently formulated. 
Without it, the И-quantifier would no longer be self-dual, and reasoning about function and relation 
symbols would be significantly more complicated. On the other hand, it has several undesirable 
consequences. As noted earlier, because of equivariance, αProlog's intuitively appealing proof 
search strategy based on nominal unification is incomplete; to obtain completeness, it is necessary 
to either place significant restrictions on the language or solve NP-complete equivariant unification 
problems. Furthermore, equivariance implies that no linear order on the set of names (or even any 
finite nonempty subset) can be denoted by a relation symbol: if a < b held, then applying the 
swapping (a b) would give b < a as well, and a < b and b < a cannot both hold. For this reason, I 
believe that finding an alternative approach to nominal logic that supports names, И-quantification, 
and binding without relying on equivariance is an important open issue. 

Model theory and database theory may be interesting places to look for inspiration concerning 
how to attack this problem. In model theory, the groups of automorphisms or order-preserving 
automorphisms play important roles. In database theory, generic queries whose answers are in- 
variant under permutations of the domain elements are often of interest. Thus, generic queries are 
similar to equivariant formulas. In addition, a great deal of research has concerned the impact of 
having a total order on the domain of individuals on expressive power. In this setting, one typically 
considers order-invariant queries whose meaning is independent of the linear order. 

Another important direction for future work is to reconcile nominal logic with well-known 
constructive or type-theoretic principles. I believe nominal abstract syntax is entirely satisfactory 
from the point of view of mathematical constructiveness; for example, nominal abstract syntax trees 
can be defined as an inductive construction similar to that used for ordinary abstract syntax trees, 
and by design nominal logic does not rely on the Axiom of Choice. Moreover, the proof theory 
and semantics of intuitionistic nominal logic has been investigated by Gabbay and Cheney [32, 
34, 15]. However, nominal logic seems challenging to integrate with type-theoretic approaches to 
computation and reasoning, because of its use of explicit freshness constraints, its non-confluent 
equational theory, and explicit fresh name generation. Some of these problems have already been 
encountered in purely functional versions of FreshML and in Schöpp and Stark's dependent type 
theory with names. 

6 Conclusion 

Gabbay and Pitts' approach to formalizing abstract syntax with names and binding (i.e., nominal 
abstract syntax) is an important foundational development relevant to logic and computer science. 
It provides a level of abstraction for reasoning about languages with binding that lies between first- 
order abstract syntax (which is usually too low-level) and higher-order abstract syntax (which is 
powerful, but too high-level for some applications). Nominal abstract syntax also seems to provide 
justification for the kind of reasoning people already perform, rather than requiring new proof 
techniques. 

Nominal logic is an extension of first-order logic formalizing the principles of nominal abstract 
syntax. It has numerous applications, ranging from providing a foundation for a logic programming 
language to machine-checked or assisted proofs of language properties. In this column I have 
attempted to give an impression of the key ideas underlying nominal logic, how it can be used, how 
it is being applied, and how it might be improved. 